When they say you gotta catch ’em all, Pokémon Go‘s developers may have meant catching complete control of every user’s entire Google account—largely in secret, without letting users know up front exactly what the app can do.
Today’s most popular mobile game lets users login through their Google accounts, but it fails to specify how Pokémon Go and Niantic, the company that’s working with Nintendo to develop the game, are going to use that account. The answer, researcher Adam Reeve reported, is that Pokémon Go can do almost anything with your account.
The app can read your email, send email as you, access your Google Drive, read your Google Search and Maps history, and look at private photos. All of that comes without any specific notification to you about how much of your data they’re opening up.
Furthermore, a users’ Google’s Connected Apps page doesn’t list Pokémon Go, so users can’t figure it out through that avenue either.
“Now, I obviously don’t think Niantic are planning some global personal information heist,” Reeve wrote. “This is probably just the result of epic carelessness. But I don’t know anything about Niantic’s security policies.”
Niantic Labs was owned by Google until late 2015.